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Abstract 

Two arbitrated quantum signature schemes, one with message recovery and the other with 
appendix, are proposed. The two proposed schemes need not prepare quantum entanglement 
states, do not require comparing qubits, only require von Neumann measurement, and have a 
significant property that both the signatory and the receiver can share and use a long-term secret 
key with the arbitrator by utilizing the key together with a random number. In addition, the 
proposed scheme with message recovery can ensure the confidentiality of the message and achieve 
a higher transmission efficiency, while the proposed scheme with appendix can sign classical mes- 
sages of any length by using the hash function to generate digests. Therefore, the efficiency of 
the two proposed schemes are greatly improved. Furthermore, we applies the quantum signature 
to quantum payment and propose an on-line quantum payment system. 
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Quantum cryptography depends on fundamental quantum-mechanical law to provide unconditional 
security for communication. The idea of applying quantum mechanics to cryptography was first 
introduced in the 1970s by Wiesner (published in 1983) pQ. Bennett and Brassard developed the 
idea by proposing the famous quantum key distribution protocol in 1984 [2]. Since then, a range of 
quantum cryptographic protocols have been extensively studied, such as quantum key distribution [2l 
121 H] > quantum secret sharing [5] , quantum authentication [B] , quantum bit commitment J\ , quantum 
oblivious transfer [3] and quantum signature [HI OH [HI E21 EH Efl E3- Especially, quantum key 
distribution has been proven to be unconditional secure both in theory and in practice [HI [T71 [TS] . 

Digital signature, as an electronic equivalent to hand-written signature, is an essential crypto- 
graphic primitive and particularly useful in electronic commerce. A valid digital signature can be 
used to authenticate the identity of the originator, ensure data integrity and provide non-repudiation 
service. Most classical signature schemes are designed based on certain unproven computational 
assumptions such as the infeasibility of factoring large integers and solving discrete logarithm. Un- 
fortunately, quantum algorithms are capable of factoring large integers and solving discrete logarithm 
|19j . Fortunately, quantum signature (QS), whose security relies on quantum- mechanical law rather 
than on computational assumptions, promises to provide an alternative to classical signature. 

Gottesman and Chuang proposed a QS scheme based on quantum one-way functions [5], which 
was absolutely secure even against quantum attack. However, their scheme is not an efficient scheme 
as signing an m-bit message uses up 0(m) qubits of the public key. Zeng and Christoph presented an 
arbitrated QS scheme utilizing the correlation of the Greenberger-Horne-Zeilinger (GHZ) states and 
quantum one-time pad [10] . Lee et al. proposed two arbitrated QS schemes with message recovery 
based on GHZ states and the utilization of quantum one-time pad [11 . One scheme uses a public 
board and the other does not. Lii and Feng presented two arbitrated QS schemes which could sign 
unknown quantum states using quantum stabilizer codes |12U13j . Wang et al. designed an arbitrated 
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QS with message recovery [T3] and an arbitrated QS with appendix [T5] without using entangle effect, 
thus the efficiency of the schemes is improved. 

However, almost all previously presented arbitrated QS schemes [TUJ EEl HH EH HI US] did not 
consider how to reuse the shared key between the signatory and the arbitrator or between the receiver 
and the arbitrator. In fact, if each time when a signatory needs to sign, he has to obtain a new key 
shared with the arbitrator through quantum key distribution protocol such as [21 [31 0] , the efficiency of 
the QS protocols would be considerably affected. In this paper, we propose two arbitrated QS schemes, 
one with message recovery and the other with appendix, based on the work of the Hwang et al. about 
three-party authenticated quantum key distribution [20 . In the proposed schemes, no quantum 
entanglement states are used, comparing qubits is unnecessary, only von Neumann measurement is 
required, and both the signatory and the receiver can share and use a long-term secret key with the 
arbitrator. Besides, in the proposed scheme with message recovery, the confidentiality of the message 
can be guaranteed and a higher efficiency in transmission can be obtained, while in the proposed 
scheme with appendix, classical messages of arbitrary length can be signed by employing hash function 
to encode the message into quantum information of fixed length. Therefore, the efficiency of the 
proposed schemes are greatly improved. Furthermore, we construct an efficient on-line quantum 
payment system utilizing the proposed arbitrated QS. 

The rest of the paper is arranged as follows. In Section 2, we describe the preliminaries. In Section 
3, two arbitrated QS schemes, one with message recovery and the other with appendix, are proposed 
and their security and efficiency arc analyzed. In Section 4, an on-line quantum payment system is 
presented based on the proposed arbitrated QS. Finally, conclusions are drawn in Section 5. 

2 Preliminaries 

Before presenting our results we briefly depict basic knowledge about QS, and introduce some nota- 
tions for understanding conveniently. 

QS, as an analogy to manuscript signature and classical signature, should have the ability to 
authenticate the identity of the originator and make sure that the original content of the message has 
not been changed. Two secure requirements should be satisfied even if powerful quantum cheating 
strategies exist: one is that the attacker (including the malicious receiver) can not forge the signature 
and the other is the impossibility of disavowal by the signatory. 

Generally, QS can be divided into two categories: QS with message recovery and QS with appendix. 
In the QS with message recovery, the signatory only sends the signature and later the receiver can 
obtain the original message by utilizing the secret information from the signature. While in the 
QS with appendix, the signatory sends both the signature and the message, so anyone can get the 
message. 

The notations, which are necessary to better understand the subsequent results, are given as 
follows. 

1. Uf. The fc-bit identity string of one participant. Ua, Ub and U a represent the identity of Alice, 
Bob and the arbitrator, respectively. 

2. hi(-), fi2(-), fi3(-): The one-way functions, where /ii(-) denotes the mapping {0, 1}* — » {0, l} mi , 
h 2 {-) denotes the mapping {0, 1}* -> {0, l}™ 2 and h 3 (-) denotes the mapping {0, 1}* -> {0, l}™ 3 . 

3- T{ G_r {0, 1}': The Z-bit string randomly chosen by the participant t/j. 

4. Ki\ The secret key string shared between the arbitrator and the participant Ui. The length of 
the secret key string is n\ in the proposed QS with message recovery and ni in the proposed QS with 
appendix. Note that n\ = I + m\ and n-i = I + 777,3. 

5. P: The n-bit message string. Notice that mi = n + 7772 + k and 7773 = I + k. 

6. ri||i?i: The concatenation of the string and the string Ri. 

7. str\ = str2'. The equality between each bit of the string str\ and that of the string sir^. 

8. str\ © str2'. The bitwise XOR operation between the string str\ and the string sir 2 



2 



3 The proposed arbitrated QS schemes 



In this section, we propose two arbitrated QS signature schemes, one with message recovery and the 
other with appendix, and analyze their security and efficiency. The basic idea of the arbitrated QS 
scheme with message recovery is similar to that of the scheme with appendix. The main difference is 
that the signed message is confidential in the first scheme, while public in the second scheme. Different 
kinds of QS influence the situations they are applied in. The presented schemes include three phases: 
Initializing phase, Signing phase and Verifying phase. Three partners, namely the signatory Alice, 
the receiver Bob and the arbitrator, are involved. 

3.1 Arbitrated QS scheme with message recovery 
A. Initializing phase 

Alice shares her m-bit secret key Ka with the arbitrator through quantum key distribution pro- 
tocols [2j |3l 2] proved as unconditionally secure [HI [17l [18] and Bob obtains his ni-bit secret key K B 
shared with the arbitrator in the same way. K A represents the ith bit of the secret key K A . Besides, 
Alice, Bob and the arbitrary share two hash functions: h\ and /i2- 
JB. Signing phase 

Alice randomly chooses a number r A &r {0, 1}' and computes Ra = h\(K A , r A )(B{P\\h 2 (P, ta)\\Ua). 

Alice generates her signature by encoding r^H-fiU according to her secret key Ka, denoted as 
\S A ) = M KA (r A \\R A ). If K\ = 0, \S\) is |0> (or |1» when (t a \\Ra) 1 = (or 1). If K\ = 1, \S A ) is 
|+> (or |-)) when (r A ||i? A ) J = (or 1). 

Alice sends the signature \S A ) to Bob via quantum channel. 
C. Verifying phase 

After Bob receives the signature \Sa), Bob chooses a random number r B Gr {0, 1} ; and a random 
filling string F B Gr {0, \} n + m \ Then Bob computes R B = h(K B , r B ) © (F B \\U B ). 

Bob obtains the qubit string by encoding r B \\R B based on his secret key K B in the same way as 
Alice does in the signing phase, denoted as \y B ) = Mk b (tb\\Rb)- 

Bob transmits the signature \Sa) and \y B ) to the arbitrator using quantum channel. 

The arbitrator measures the received qubits \Sa) depending on the secret key Ka shared with 
Alice. If K A = the qubit is measured in the basis R\ otherwise measured in the basis D. Once the 
arbitrator gets the measuring outcomes r' A \\R A , he computes P'\\h2(P,rA)'\\U' A = hi(K A ,r' A ) © R' A . 
Thus he can recover the message P' and verify whether it has been changed by computing h2(P', r' A ). 
The value of Ua also can be verified. If fi2(P,r A )' = h 2 {P',r' A ) and U' A = Ua he sets /x a = 1, 
else fi a = 0. Similarly, the arbitrator measures the received qubits \y B ) depending on the secret 
key K B shared with Bob. When the arbitrator gains the measuring results r' B \\R' B: he computes 
F' B \\U' B = hi(K B ,r' B ) © R' B . Then he checks whether U' B equals U B . If U' B — U B he keeps /if, = 1, 
else fib = 0. 

If /!& = 0, the arbitrator rejects Bob, confirms it to Alice and aborts the protocol. Otherwise the 
arbitrator does the operations as follows. He randomly chooses a number r a G_r, {0, l} 1 and computes 

= hi(K B ,r a )(B(P \\h2(P,r a , fi a , F' B )\\U a )- Then he encodes r a \\R a according to the secret key K B 
and gets the result \y a ) = M KB (r a \\R a ). 

The arbitrator sends \Sa) and \y a ) to Bob with quantum channel. 

Bob decodes the qubit string \y a ) relying on the secret key K B and obtains r„||i?„. Then he 
computes P'\ \h 2 {P, r a , fi a , F' B )'\ \U' a = hi(K B ,r' a ) © R' a . Thus he can recover the message P' and 
check either h 2 (P,r a , fi a , F' B )' = h 2 (P' ,r' a ,l, F B ) or h 2 (P,r a , » a , F' B )' = h 2 {P' ,r' a ,0,F B ). The value 
of U a also can be checked. If h 2 {P, r a , fi a , F' B )' = h 2 {P' , r' a , 1, F B ) and U' a = U a Bob would trust the 
arbitrator and accept Alice's signature \Sa) of the message P. Otherwise he discards \Sa) and should 
restart the protocol. 

3.2 Arbitrated QS scheme with appendix 
A. Initializing phase 
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Alice and the arbitrator share their n 2 -bit secret key K a employing unconditionally secure quan- 
tum key distribution protocols [3J [4] . Bob shares his n,2-bit secret key Kb with the arbitrator in 
the same way. In addition, Alice, Bob and the arbitrary share one hash functions /13. 

B. Signing phase 

Alice randomly chooses a number ta £r {0, 1}' and computes Ra = H^Ka, ta, P) © (taWUa)- 
Alice obtains her signature \Sa) = Mk a (ta\\Ra) by encoding Ta \\Ra based on her secret key Ka- 

If K\ = 0, \S\) is |0) (or |1)) when = (or 1). If K\ = 1, \S A ) is |+) (or |-» when 

(r A \\RA) l = (or 1). 

Alice sends the signature \Sa) followed by the message P to Bob. That can be accomplished by 
transmitting \Sa) with quantum channel and P with classical channel, or by transforming P to qubits 
\P) according to the basis R and then sending \Sa) and \P) using quantum channel. 

C. Verifying phase 

After Bob receives the signature \Sa) and P, Bob randomly chooses a number rs £r {0, 1}'. Then 
Bob computes Rb = hs(KB,rB) © 0"b||£7b)- 

Bob obtains the qubit string \ys) — Mk b {tb\\Rb) by encoding tb\\Rb relying on his secret key 
Kb with the identical method as Alice does in the signing phase. 

Bob transmits the signature \Sa), \vb) and P to the arbitrator. 

The arbitrator measures the received qubits \Sa) depending on the secret key K a shared with 
Alice. If K l A — the qubit is measured according to the basis R; otherwise the basis D. After the 
arbitrator gains the measuring outcomes r^||i?^, he computes r A \\U' A = h 3 (K A ,r' A , P) R' A . Thus 
he can verify whether r A \\U' A — r' A \\U A . If they are equal, he sets fi a = 1, else \i a — 0. Similarly 
the arbitrator measures the received qubits \ys) based on the secret key Kb shared with Bob. When 
the arbitrator gets the measuring results r' B \\R' B , he computes r B \\U' B = h 3 (KB,r' B ) © R' B . Then he 
checks whether r B \\U' B equals r' B \\UB- If r B \\U' B = r B \\UB he keeps fib = I, else fib = 0. 

If fib = 0, the arbitrator denies Bob, confirms it to Alice and aborts the protocol. Else the 
arbitrator performs the following operations. He chooses a random number r a S_r {0, 1}' and computes 
Ra = h3(KB,r a ,P,n a ) © (r a \\U a )- Then he encodes r a ||i? a based on the secret key Kb and obtains 
the result \y a ) = M KB (r a \\R a ). 

The arbitrator sends \Sa), \y a ) and P to Bob. 

Bob measures the qubits \y a ) relying on the secret key Kb and gains r^||i2^. Then he checks 
whether r' a \ \U a — h 3 (KB, r' a , P, 1) © R' a . If they are identical, Bob could believe in the arbitrator and 
accept \Sa) as Alice's signature of the message P. Otherwise he discards \Sa) and should perform 
the protocol again. 

3.3 Security analysis of the arbitrated QS schemes 

The security of the QS scheme generally involves two aspects: one is that the attacker (including the 
malicious receiver) can not forge the signature and the other is the impossibility of disavowal by the 
signatory and the receiver. Besides, the arbitrator should be trustworthy in an arbitrated QS scheme. 
Since the proposed schemes use one-way hash functions to map classical bit string of any length to 
that of fixed length and to authenticate partial information, we cannot evaluate the security precisely. 
However, all the transmitted data are encrypted and in the forms of random nonorthogonal quantum 
states, the attacker cannot obtain the useful information without disturbance [21 . If substantial 
disturbance occurs, the protocol could be aborted. If such abnormal actions occurs ^ mal times (^ mQa; 
may be agreed before the protocol), the participants may consider key exposure; otherwise we assume 
the key will not be exposed in the proposed protocols and analyze the security of the proposed schemes 
as follows. 

Impossibility of forgery Assume that the attacker A attempts to counterfeit Alice's signature. 
Then he has to learn the secret key Ka shared with the arbitrator. However, that is impossible due 
to unconditionally secure quantum key distribution. Hence, he can not get ta and Ra which will 
be used in the verifying phase. If either of them is wrong, the arbitrator will discover the forgery. 
Furthermore, in the presented QS schemes, the preshared secret key is used together with a random 
number, the receiver Bob will not obtain the same polarization qubits even though the same message 
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is signed again. Therefore, even if the secret key Ka is used several times, the adversary A still can 
not learn the secret key Ka and forge Alice's signature of the message P' favorable to him. 

Impossibility of disavowal Suppose Alice and Bob have disagreements or disputes. Then the 
arbitrator is needed to handle them. If Alice denies her signature, the arbitrator can confirm that 
Alice has signed the message since the information of Alice's secret key Ka is included in the signature 
\Sa)- Similarly, if Bob disavows the signature received, the arbitrator also can make sure that Bob 
has received the signature Sa of the message P, because he needs the assistance of the arbitrator to 
verify whether the signature is valid. Likewise, since both Ka and Kb are used together with random 
numbers, which ensures that the polarization qubits they generate are different each time, they can 
be used repeatedly. 

3.4 Efficiency analysis of the arbitrated QS schemes 

The efficiency of the QS schemes is generally considered in two aspects [T3] : (1) the total number of 
the transmitted quantum bits and classical bits when n-bit message is signed; (2) the complexity of 
performing a scheme, including the generation of initial information, quantum operations, comparison 
among quantum states, etc. In order to compare, we also adopt the formula rj — gf+ Bt used to 
estimate the efficiency, where B s — n, Qt and B t represent the number of signed message bits, 
transmitted quantum bits and exchanged classical bits, separately. Then we will consider these two 
aspects between our proposed schemes and other typical QS schemes. 

The proposed QS scheme with message recovery involves several security parameters, which could 
influence the efficiency of the scheme. The larger of the number of the signed message bits n and the 
smaller of the number of the security parameters I and mi, the higher of the efficiency of the scheme. 
For instance, if I = 5 and m-i = in terms of the formula, the efficiency of our QS scheme with 
message recovery is 10%; if I = ^ and mi = the efficiency of the scheme is 12%. According to 
the formula, the efficiency of Zeng's scheme [10], Lee's scheme with a public boardpj], Lee's scheme 
without a public board [II] . Lii's scheme [12] and Wang's scheme [H] is 9%, 12%, 11%, 11% and 
11%, respectively. While the scheme proposed by Gottesman and Chuang is not an efficient scheme 
[9], since signing an m-bit message uses up 0(m) qubits of the public key. The QS scheme with 
appendix presented by wang et al. could encode the classical message of any length into the quantum 
information of fixed length by using hash function to generate message digest [15] . While the proposed 
QS scheme with appendix also can sign the classical message of any length by utilizing hash function 
to produce the digest of the string including the message and random bits. 

The second aspect about efficiency of QS schemes concerns the complexity of carrying out a 
scheme. The scheme proposed by Gottesman and Chuang |9J does not need the arbitrator, but it needs 
a trusted key distributions center used to distribute keys to other participants. Zeng's scheme [lOj 
requires preparing and distributing GHZ states, and involves some complicated quantum operations 
such as performing a joint measurement on each message qubit and GHZ particles, carrying out Bell 
measurement on Bell states and comparing quantum states. Lee's schemes [llj also require using 
GHZ states, measuring GHZ particles and comparing qubit strings. Lii's scheme [12l H3] is rather 
complicated due to the use of quantum stabilizer codes and syndromes. Wang's schemes [UJ [IS] 
need not using GHZ states and only need performing von Neumann measurement, but the additional 
random secret bit string as message authentication code besides the key is needed in the initializing 
phase and the comparison of the qubit strings is still required. In addition, almost all the previously 
presented arbitrated QS schemes [TDl [HJ [12l [13l HH [15] did not consider how to use the key shared 
by the signatory and the arbitrator or by the receiver and the arbitrator repeatedly. Actually, if each 
time when a signatory needs to sign, the signatory and the receiver have to obtain a new key shared 
with the arbitrator via quantum key distribution protocol, the efficiency of the protocols would be 
affected greatly. While in our proposed QS schemes, GHZ states are not necessary, comparing qubit 
strings is not required, only von Neumann measurement is needed, and the signatory and the receiver 
can share and use a long-term key with the arbitrator by utilizing the key together with a random 
number. Therefore, the efficiency of the proposed QS schemes is largely improved. 
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4 On-line quantum payment system using the arbitrated QS 



Like classical payment system, quantum payment system, mainly involving quantum cash-like pay- 
ment system [1] and quantum check- like payment system [22], should be done on-line or off- line. 
Generally, the large-value payment transactions requiring higher security should rather be settled 
on-line whereas low-value payment transactions requiring less security could be handled off-line. In 
this paper, an on-line quantum check-like payment system taking the advantage of the arbitrated QS 
with appendix is proposed, which can provide high security. As a matter of fact, if the transaction 
information needs to be confidential, the arbitrated QS with message recovery can be utilized to 
construct a similar payment system. 

In the presented quantum check payment system, the check information consists of two parts 
somewhat similar to that in [22] . the first part which must be generated and signed by the payer is 
Pi = {pi\\p2\\P3\\p4\\P5\\pe\\P7) i where p\ is the name of the payee, P2 is the name of the payer, p$ 
is the account number of the payer, p^ is the amount of money, ps is the use of the check, p§ is the 
written date of the check and pj is the expiration date of the check. While the other part which 
should be generated and endorsed by the payee is Pi = (ps | |P9 1 |Pio) ? where p$ is the payee's name, pg 
is the payee's account number and pio is the amount of money. 

There are four kinds of participants in the on-line quantum check payment system: Payer, Payee, 
Issuer (or Issuing bank) and Acquirer (or Acquiring Bank). The presented payment sysytem includes 
four phases: Registration phase, Payment phase, Capture phase and Settlement phase. The payer 
owns the account at the issuing bank and the payee obtains the account at the acquiring bank through 
the registration phase. The quantum check payment system begins with the payment phase in which 
the payer sends the signed check to the payee. In the capture phase, the payee transmits the endorsed 
check to the acquiring bank who will receive the money from the issuing bank in the settlement phase. 
Figure 1 shows the basic model and detailed descriptions of the four phases are given in the following. 
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Figure 1: Basic model of quantum check payment system 



4.1 Registration phase 

If the payer wants to finish the payment by check, he has to register at the issuing bank and open a 
check account which can make him have the right to use checks. The payer can come to the issuing 
bank to complete the registration phase. This also can be accomplished using the following operations. 

1. The payer and the Issuer share more than 712-bit secret key K through quantum key distribution 
protocols [21 [3l |4| proved as unconditionally secure [16l [T7l [18] . 

2. The payer and the Issuer keep the first ri2-bit secret key K\ as a long-term shared key. The 
Issuer encrypts the payer's identity information U\ and check account information CA1\ with the 
other bits of the secret key K using quantum one-time pad, and sends the encrypted information to 
the payer. 
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3. The payer decodes the encrypted information and gets U\\\CAIi. 

Thus, after the registration, the payer and the Issuer share the secret key K\, the payer gets the 
check account information CAI\ and the Issuer stores U\\\CAIx in the database. Then the payer can 
deposit some money to his account at any convenient time and pay by check. 

The payee who may receive a check can register in the similar way at the acquiring bank. After 
the registration, the payee and the Acquirer share the secret key K 2 , the payee obtains the normal 
account information NAI 2 and the Acquirer stores U 2 \ \NAI 2 in the database. 

4.2 Payment phase 

When the payer and the payee carry out the transaction, the payer chooses to pay the goods or other 
services by check. Hence, in the payment phase, the payee generates and signs the the first part 
information of check, and then sends the signed check to the payee. The detailed performing process 
is as follows. 

1. The payer creates the first part information of the check: P\ — (pi ||P2||P3 Half's |b6||f>7) ■ 

2. The payer chooses a random number n {0, 1}' and computes R\ = h 3 (Ki, n, Pi) (n ||?7i). 

3. The payer obtains the signature \Si) = Mk x (»"i||-Ri) of P\ by encoding n | j-Ri relying on his 
secret key K x . li K\ = 0, \S[) is |0) (or |1)) when (ri||i?i) J = (or 1). If K\ = 1, \S{) is |+) (or |-)) 
when (ri||i?i) 1 = (or 1). 

4. The payer sends \S\) and Pi to the payee. This can be finished by transmitting \Si) with 
quantum channel and Pi with classical channel, or by transforming Pi to qubits \Pi) based on the 
basis R and then sending \Si) and \Pi) utilizing quantum channel. 

4.3 Capture phase 

In the capture phase, the payee generates and endorses the second part information of the check, and 
latter transmits the endorsed check to the acquiring bank. This can be completed by performing the 
following operations. 

1. After receiving \Si) and Pi, the payee produces the second part information of the check: 
Pi = Mbglbio)- 

2. The payee randomly chooses a number r 2 Er {0,1}' and computes R 2 = h 3 (K 2 ,r 2 , P 2 ) © 
(r 2 \\U 2 ). 

3. The payee endorses P 2 by encoding r 2 ||P 2 according to his secret key K 2 and obtains the results 
l^) = Mx 2 {r 2 \\R 2 ). The encoding way is similar to that the payer does in the payment phase. 

4. The payee transmits \Si), \S 2 ), Pi and P 2 to the acquiring bank. This can be done by sending 
I Si) and \S 2 ) with quantum channel and Pi and P 2 with classical channel, or by transforming Pi and 
P 2 to qubits I Pi) and \P 2 ) according to the basis R and then sending |Si), \S 2 ), |Pi) and \P 2 ) via 
quantum channel. 

4.4 Settlement phase 

Once the Acquirer receives |Si), \S 2 ), Pi and P 2 , the settlement phase can begin. The Acquirer 
cooperates with the Issuer to check whether the received check is valid. If the check is valid, they 
finish the virement between the payer's account and the payee's account. This can be done through 
the inner bank transaction. For simplicity, here we assume that the Acquirer and the Issuer are the 
same bank. The following is the detailed performing process. 

1. The bank measures the received qubits \Si) depending on the secret key Ki shared with the 
payer. If K{ = 0, then the qubit is measured based on the basis R; otherwise the basis D. When the 
bank obtains the measuring outcomes r[ \\R[, he computes r'[ \ \ U[ = /13 (Ki , r[ , Pi ) R[ . Hence he can 
verify whether is the same as rJJ|[/i. If r'[ ||£7-[ = r*^_ 1 1 C7" 1 , the bank would trust the payer and 
accept the payer's signature \Si) of Pi. Otherwise he confirms to the payee that there is something 
wrong with |«Si) and Pi and the transaction should be terminated. 

2. The bank measures the received qubits \S 2 ) relying on the secret key K 2 shared with the 
payee in the similar way. When the bank gains the measuring results r 2 ||P 2 , he computes 1 1 ^2 = 
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h 3 (K 2 ,r' 2 ,P 2 ) © R 2 . Thus he can check whether r 2 ' \ W 2 is identical to r' 2 \ \ U 2 ■ If r' 2 ' \ \ W 2 = r' 2 \ \ U 2 , the 
bank would believe in the payee and accept \S 2 ) as the payee's signature of P 2 . Else he confirms to 
the payer that the payee is not honest and the payment should be canceled. 

3. If | Si), \S 2 ), Pi and P 2 are all valid, the bank continues to check. If pi — p$ and p^ — pio, the 
bank debits the payer's account with the amount of money p<± and credits the payee's account with 
the amount of money pio; otherwise the bank rejects the virement between the payer's account and 
the payee's account and sends notifications to both of them. 

5 Conclusions 

In this paper, we propose two arbitrated quantum signature schemes, one with message recovery and 
the other with appendix, based on the three-party authenticated quantum key distribution protocol 
presented by Hwang et al [20] . In the proposed schemes, we need not prepare quantum entanglement 
states, do not require comparing qubits, only need implement von Neumann measurement, and provide 
a significant feature that both the signatory and the receiver can share and use a long-term secret key 
with the arbitrator. Thus our schemes can be performed with high efficiency. 

In addition, we construct an on-line payment system based on the proposed arbitrated QS with 
appendix. An on-line payment system is generally used in the large-value payment transactions and 
requires higher security. Compared with the classical payment system, the presented quantum pay- 
ment system does not depend on unproven computational assumptions such as the intractability of 
factoring large integer and solving discrete logarithm, which might be broken with a quantum com- 
puter [19j . but depend on basic principles of quantum mechanics. Thus the on-line quantum payment 
system can provide higher security and is more applicable for the large-value payment transactions. 
Compared with the quantum payment system presented by Al-Daoud [22], the quantum payment 
system proposed in this paper utilizes the arbitrated QS , needs not generate and distribute GHZ 
states, does not require performing complicated quantum operations such as CNot operation and Bell 
measurement and just needs to carry out von Neumann measurement. Therefore, the efficiency of the 
proposed system is greatly improved. 

In summary, we have proposed two efficient arbitrated QS schemes and have demonstrated the 
possibility of applying the arbitrated QS to the on-line quantum payment system. The work of this 
paper may promote the research of designing different QS schemes with special property to adapt to 
various types of quantum payment systems. 
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